“What’s the cut, Papa?”
“Juicy, Junior. Real juicy.”
Sorry, I couldn’t help myself. Tarantino is too quotable. And that scene is exactly how I imagine a gang of cyber crooks (from the likes of Metel, GCMAN, and Carbanak 2.0) sitting around debating whether or not some long-term, APT-style hack is worth it.
But with paydays reaching upwards of $1 billion, I’d say, yeah, those cuts are downright succulent. And the means by which to achieve them are much more appetizing than what Mr. White, Pink, Brown, Blonde, Orange, and Blue had to go through.
Stuck in the Middle with You
Banking botnets may be passé, but banking heists are all the rage. What’s changed is the hacking strategy. Today, APTs (and, apparently, ATMs) are where it’s at.
While not stick-‘em-up-gun-point robberies, the Metel attacks were half cyber, half physical. The group used spear-phishing emails to infect a bank’s network with malware and gain access to its money-processing systems, stealing credentials and taking over a domain controller. Once they’d set everything up inside the network, automating the rollback of ATM transactions so that account balances would appear untouched, these guys went around—literally thieves in the night—from ATM to ATM, withdrawing cold hard cash.
Another group, GCMAN, also used APT-style techniques (e.g., spear-phishing emails carrying a malicious RAR archive, and legitimate remote-access and pen-testing tools like VNC, PuTTY, and Meterpreter for lateral movement) to pull off a different set of bank heists. Patient as spiders spinning their webs, GCMAN sat in one bank’s network for 18 months before the thieving began. But when it did (the group used a cron script to transfer money to multiple e-currency services), the bank bled cash at a rate of $200/minute.
As NSA chief hacker Rob Joyce indicated during his recent talk at the USENIX Enigma conference, hackers are patient and persistent. They’ll wait and wait and wait for the right moment to attack, especially when the reward is big enough. So it’s really not surprising that more cyber crooks are going in for the long haul. These recent Eastern Bloc robberies serve as great examples of why all organizations need to assume that, in all likelihood, their systems have already been compromised, and to readjust their focus toward more pervasive visibility into their networks.
Although it’s increasingly common to find that threats have been lying dormant in networks for long periods of time, this doesn’t have to be the case. Companies need to take a different tack, become more proactive, and turn the tables on folks like these banking bandits. They can do so by re-architecting existing security stacks around visibility for the best chance at surfacing areas of compromise and shutting down theft, while also continuing to strengthen and maintain perimeter defenses.
I’ve said it before; I’ll say it again: Security requires visibility. Many security vendors understand this—the need for pervasive visibility to analyze network traffic for threats, anomalies, and lateral malware movement. However, no matter how sophisticated security solutions have become, they’re still only as good as the network traffic they see. And what can help with this? A security delivery platform (SDP).
An SDP is designed to give security tools full access to network traffic and network metadata. In the case of the GCMAN hack, an SDP would have delivered full visibility into the traffic of those hackers as they looked to identify computers on the domain that handled financial transactions. In turn, the behavioral analytics tools fed this traffic could have flagged the flurry of activity as anomalous against established baselines and perhaps detected the intrusion much sooner than the 18 months it actually took. One caveat a practitioner will recognize: the telltale signals here (a workstation suddenly talking to dozens of internal hosts it has never touched, or opening its first connections into the finance segment) are east-west traffic, so the taps and aggregation have to be placed to capture internal traffic, not just what crosses the perimeter.
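To make the detection side concrete, here is an added example (not from the original post, and not any vendor's product logic) of the kind of baseline-and-deviation check a behavioral analytics tool fed by such a platform could run over flow metadata. It learns, per source host, how many distinct internal destinations are normal per hour and which finance systems the host has ever talked to, then alerts on an hour that fans out far beyond that baseline or touches a finance host for the first time. The host names, the 24-hour baseline, the hour-26 sweep and the FINANCE_HOSTS inventory are all constructed sample data.

```python
"""Baseline-and-deviation detection over flow metadata (constructed sample data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical inventory of hosts that process financial transactions; a real
# deployment would pull this from the CMDB or the network segmentation plan.
FINANCE_HOSTS = {"fin-pay01", "fin-swift01", "fin-core01"}


def build_sample_flows():
    """Return (baseline, observed) lists of (hour, src, dst, dport).

    Constructed data: for 24 hours the workstation ws-17 talks to three to five
    ordinary servers; in hour 26 it fans out to 30 hosts over SMB, two of them
    finance systems it has never touched before.
    """
    baseline = []
    for hour in range(24):
        dsts = ["dc01", "fs01", "mail01"]
        if hour % 2:
            dsts.append("intranet")
        if hour % 3 == 0:
            dsts.append("print01")
        baseline += [(hour, "ws-17", d, 445) for d in dsts]
    observed = [(25, "ws-17", d, 445) for d in ("dc01", "fs01", "mail01", "intranet")]
    sweep = [f"srv-{i:02d}" for i in range(1, 29)] + ["fin-pay01", "fin-swift01"]
    observed += [(26, "ws-17", d, 445) for d in sweep]
    return baseline, observed


def distinct_dsts(flows):
    """Map (src, hour) -> set of distinct destination hosts seen in that hour."""
    out = defaultdict(set)
    for hour, src, dst, _port in flows:
        out[(src, hour)].add(dst)
    return out


def build_baseline(flows, k=3.0, floor=5):
    """Per-source alert threshold on distinct destinations per hour (mean + k*sd,
    never below `floor` so tiny baselines do not alert on 3 vs 2), plus the set
    of finance hosts each source has historically been seen talking to."""
    per_hour = defaultdict(list)
    known_fin = defaultdict(set)
    for (src, _hour), dsts in distinct_dsts(flows).items():
        per_hour[src].append(len(dsts))
        known_fin[src] |= dsts & FINANCE_HOSTS
    thresholds = {}
    for src, counts in per_hour.items():
        thresholds[src] = max(floor, mean(counts) + k * pstdev(counts))
    return thresholds, known_fin


def detect(observed, thresholds, known_fin):
    """Alert on fan-out above baseline or on first-ever contact with a finance host.
    A source with no baseline still alerts on new finance contacts."""
    alerts = []
    for (src, hour), dsts in sorted(distinct_dsts(observed).items(), key=lambda kv: kv[0]):
        threshold = thresholds.get(src)
        new_fin = sorted((dsts & FINANCE_HOSTS) - known_fin.get(src, set()))
        fanout = threshold is not None and len(dsts) > threshold
        if fanout or new_fin:
            alerts.append({"src": src, "hour": hour, "distinct_dsts": len(dsts),
                           "threshold": threshold, "new_finance_contacts": new_fin})
    return alerts


def run_demo():
    baseline, observed = build_sample_flows()
    thresholds, known_fin = build_baseline(baseline)
    return detect(observed, thresholds, known_fin)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Hour 25 looks like every other hour and stays quiet; hour 26 trips both rules at once, which is exactly the reconnaissance phase the post describes. The floor and the k multiplier are the knobs that trade false positives against time-to-detect, and both only matter if the flow records covering that internal traffic actually reach the tool.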
And how sweet would it be in these cases to deliver the line (again and again): I gotcha!